GRAND THEFT TELEMATICS: Firm finds security flaws that threaten vehicle safety

By Francis Allan L. Angelo
A critical vulnerability discovered by Kaspersky researchers has exposed the full telematics infrastructure of a major automotive manufacturer, enabling unauthorized control over connected vehicles and raising serious concerns about driver safety.
Presented at the Security Analyst Summit 2025, the security audit revealed that attackers could remotely manipulate essential vehicle systems—such as engine shut-off or forced gear shifts—through a zero-day flaw in a contractor’s web-based application.
Kaspersky’s investigation began with a remote audit of the carmaker’s public services and its contractor’s infrastructure, where researchers identified multiple exposed web applications.
The initial entry point was a zero-day SQL injection vulnerability in a publicly accessible wiki application, which allowed extraction of user credentials stored as password hashes.
Some of the hashes were cracked due to weak password policies, granting access to the contractor’s issue tracking system and exposing detailed configurations of the manufacturer’s telematics infrastructure.
Among the leaked data was a file containing hashed passwords for user accounts tied to one of the carmaker’s vehicle telematics servers, giving researchers a foothold into the connected vehicle environment.
Telematics systems in modern vehicles collect and transmit critical data such as speed and location, and are essential to connected vehicle functions.
Further probing revealed a misconfigured firewall that exposed internal servers, enabling researchers to use a service account password to access the server file system and uncover more credentials.
These credentials, tied to another contractor, granted full administrative access to the telematics platform and allowed firmware manipulation on the Telematics Control Unit (TCU).
Using a firmware update command, the researchers uploaded modified firmware that granted access to the vehicle’s Controller Area Network (CAN) bus—a system that links vital vehicle components such as the engine and sensors.
This full access to the CAN bus enabled remote control of core systems including engine and transmission, posing a severe risk to physical safety.
“The security flaws stem from issues that are quite common in the automotive industry: publicly accessible web services, weak passwords, lack of two-factor authentication (2FA), and unencrypted sensitive data storage,” said Artem Zinenko, Head of Kaspersky ICS CERT Vulnerability Research and Assessment.
Zinenko warned that the breach underscores how “a single weak link in a contractor’s infrastructure can cascade into a full compromise of all of the connected vehicles.”
Kaspersky has urged contractors to take immediate steps including restricting internet access to services via VPN, isolating systems from corporate networks, enforcing strong passwords, implementing 2FA, encrypting sensitive data, and integrating logging into a SIEM system for real-time threat monitoring.
For vehicle manufacturers, the cybersecurity firm recommends isolating the telematics platform from the in-vehicle network, using allowlists to control communication, disabling SSH password authentication, limiting service privileges, and verifying the authenticity of commands sent to TCUs.
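One way to implement the recommendation to verify the authenticity of commands sent to TCUs, shown as an added example that is not taken from Kaspersky's findings or any manufacturer's code: the TCU accepts a command only if its tag verifies, its type is allowlisted, its counter is fresh, and the firmware image matches the signed hash. The message layout, command names, VIN and key are constructed for illustration, and HMAC-SHA256 stands in for an asymmetric signature scheme so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key; assumed to be held by a signing service that is
# separate from the internet-facing telematics platform.
DEMO_KEY = b"constructed-demo-key"
ALLOWED_COMMANDS = {"firmware_update", "diagnostics_read"}  # hypothetical names


def sign_command(key, command):
    """Signing side: canonical JSON body plus an HMAC-SHA256 tag."""
    body = json.dumps(command, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class TcuVerifier:
    """TCU side: check tag, allowlist, target, freshness and image hash."""

    def __init__(self, key, vin):
        self.key, self.vin = key, vin
        self.last_counter = 0  # highest counter accepted so far

    def verify(self, message, firmware=b""):
        body = message["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["tag"]):
            return "reject: bad tag"
        cmd = json.loads(body)  # parsed only after the tag has verified
        if cmd.get("type") not in ALLOWED_COMMANDS:
            return "reject: command not allowlisted"
        if cmd.get("vin") != self.vin:
            return "reject: wrong vehicle"
        if cmd.get("counter", 0) <= self.last_counter:
            return "reject: replayed or stale counter"
        if cmd["type"] == "firmware_update":
            digest = hashlib.sha256(firmware).hexdigest()
            if not hmac.compare_digest(digest, cmd.get("sha256", "")):
                return "reject: image does not match signed hash"
        self.last_counter = cmd["counter"]
        return "accept"


if __name__ == "__main__":
    image = b"constructed firmware image"
    tcu = TcuVerifier(DEMO_KEY, "VIN-CONSTRUCTED-1")
    msg = sign_command(DEMO_KEY, {"type": "firmware_update", "counter": 1,
        "vin": "VIN-CONSTRUCTED-1", "sha256": hashlib.sha256(image).hexdigest()})
    print(tcu.verify(msg, b"modified image"), "|", tcu.verify(msg, image))
```

The check only helps if the signing key is kept away from the systems an intruder with platform administrator access can reach.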
The incident highlights the growing importance of third-party cybersecurity practices in the automotive sector as vehicles become increasingly software-defined and connected.
Kaspersky ICS CERT, which specializes in threats targeting industrial automation and the Industrial Internet of Things (IIoT), has reported hundreds of vulnerabilities over the years to help secure critical systems.
Kaspersky, founded in 1997, protects over a billion devices globally and provides advanced cybersecurity solutions to individuals, enterprises, and governments worldwide.
The company said the findings should prompt the automotive industry to urgently reassess its cybersecurity posture and prioritize resilience across the entire connected ecosystem.